119-HR-2659 Investigative Journalist Impact Analysis
119 · HR 2659 Strengthening Cyber Resilience Against State-Sponsored Threats Act
Summary
What the bill does: H.R. 2659 (Strengthening Cyber Resilience Against State‑Sponsored Threats Act) creates a CISA‑chaired, FBI vice‑chaired interagency task force to coordinate Sector Risk Management Agencies (SRMAs) under NSM‑22 and deliver an initial classified assessment (with an unclassified executive summary) 540 days after establishment and annual reports thereafter. The House passed the measure on November 17, 2025, under suspension (Roll No. 287). [1][4][5]
Why it matters: U.S. and allied agencies assess that PRC state‑sponsored actors such as Volt Typhoon have maintained stealthy, years‑long access in communications, energy, transport, and water/wastewater systems—positioning to disrupt during a crisis. The task force could tighten cross‑sector detection and mitigation, but exemptions from FACA and the Paperwork Reduction Act, plus heavy classification, create transparency and oversight trade‑offs. [3][6][7]
The figures above reflect CBO scoring embedded in the committee report, FBI’s 2024 Internet Crime Report, and EPA OIG’s 2024 water‑sector vulnerability scan. [2][8][9]
Economic Effects
- Federal budget: CBO estimates about $5 million in authorizations over FY2025–2030 for the task force and reporting—minimal relative to DHS/CISA toplines. [2]
- Private‑sector compliance: The bill itself imposes no new reporting or security mandates on owners/operators; CIRCIA’s incident‑reporting duties are still pending a final rule and are not yet in effect. [1][10]
- Risk‑reduction upside: Coordinated cross‑sector analysis focused on PRC pre‑positioning could reduce the probability or duration of high‑impact outages that historically drive fuel and logistics costs (e.g., Colonial Pipeline’s 2021 shutdown). [3][11]
- Health‑care and small‑business resilience: Recent cyberattacks (e.g., Change Healthcare) produced nationwide pharmacy and billing disruptions and liquidity strain for smaller providers; better federal coordination may speed guidance and support in similar crises. [12][13]
- Market confidence: Regular (even if partly classified) federal risk assessments and published executive summaries can stabilize expectations for investors and insurers in critical‑infrastructure sectors, aligning with NSM‑22’s push for clearer roles and minimums. [1][4]
Social Effects
- Public safety: U.S. agencies warn PRC actors have maintained access across civilian infrastructure; faster, unified federal playbooks can mitigate cascading effects on mobility, communications, and essential services during a crisis. [3]
- Health‑care access: The Change Healthcare incident delayed prescriptions and disrupted authorizations nationwide, demonstrating how cyber events can impede care and wages; stronger federal coordination and outreach to operators could lessen patient impact next time. [12]
- Water sector exposure: GAO and EPA OIG document persistent cyber weaknesses across drinking and wastewater systems, with implications for public health if controls are manipulated or operations disrupted. [14][9]
- Equity concerns: IC3 data show older adults suffer disproportionate cyber losses; improved federal warning and owner/operator outreach (as the bill’s awareness‑campaign plan contemplates) may particularly benefit vulnerable populations. [8][1]
Environmental Effects
- Cyber‑physical hazards: CISA warns OT/ICS compromises can open breakers, overfill tanks, or disable alarms—creating risks of spills, equipment damage, or unsafe discharges with environmental consequences. [15]
- Water quality risk: GAO finds that attacks on water/wastewater systems could produce unsafe chemical or bacterial levels; improving federal coordination and sector guidance may reduce such risks. [14]
- Evidence caveats: Some widely cited incidents (e.g., Oldsmar, 2021) are disputed on whether a true external cyber‑intrusion occurred—underscoring the need for rigorous fact‑finding and transparent unclassified reporting from the task force. [16][17]
Temporal Analysis
- 0–12 months after enactment: DHS/CISA stands up the task force (within 120 days); members align with existing efforts, define data needs, and start cross‑sector TTP assessments; no new private‑sector obligations. [1]
- ~18–24 months: Initial classified report due 540 days after establishment, with an unclassified executive summary posted publicly; agencies may request resources/authorities based on identified gaps. [1]
- Multi‑year horizon: Annual classified updates could harden defenses against high‑end state actors; effectiveness will hinge on robust dissemination of insights at the lowest classification level, consistent with NSM‑22. [4]
- External dependency: Broader incident‑reporting visibility from CIRCIA will matter, but CIRCIA’s reporting rules will not be effective until the final rule; timing affects the task force’s data completeness. [10]
Unintended Consequences
- Duplication/coordination risk: CISA’s Joint Cyber Defense Collaborative (JCDC) and the FBI‑led NCIJTF already coordinate multi‑agency cyber operations; unless roles are crisply bounded, a new task force could fragment lines of effort. The bill allows coordination with preexisting bodies—use it. [18][19][1]
- Transparency trade‑offs: Exempting the task force from FACA and the Paperwork Reduction Act speeds action but reduces public notice, meeting openness, and routine burden review—heightening the importance of detailed unclassified summaries. [6][7]
- Overclassification risk: With reports largely classified, owners/operators may receive delayed or diluted guidance; NSM‑22’s directive to share at the lowest feasible classification should be enforced in practice. [1][4]
- Narrow threat aperture: A PRC‑only mandate may miss concurrent ransomware and criminal campaigns that continue to disrupt hospitals, local governments, and critical manufacturing. Consider formal deconfliction with CIRCIA data and IC3 trends. [8]
Assessment
Overall stance: Neutral. The bill’s modest federal cost and focus on a well‑documented national‑security risk argue for potential net benefits, provided it avoids duplicating JCDC/NCIJTF, delivers meaningful unclassified outputs, and synchronizes with forthcoming CIRCIA reporting. Absent these guardrails, transparency and coordination gaps could blunt its value. [2][3][18][19][10]
Sourcing (selected)
- Bill text and structure: Congress.gov text of H.R. 2659. [1]
- House action: Member vote record documenting House passage on Nov. 17, 2025 (Roll 287). [5]
- Budgetary effect: CBO estimate included in House Report 119‑230 (govinfo). [2]
- Threat baseline: CISA’s Feb. 7, 2024 joint advisory on PRC state‑sponsored actors (Volt Typhoon). [3]
- Framework: NSM‑22 (White House) on critical‑infrastructure roles and risk management. [4]
- Existing coordination bodies: JCDC (CISA) and NCIJTF (FBI). [18][19]
- Historical economic disruption: DOE’s Colonial Pipeline cyber incident page. [11]
- Healthcare disruptions: AP and Fitch/Reuters coverage of the 2024 Change Healthcare outage. [12][13]
- Population‑level loss trends: FBI’s 2024 IC3 release. [8]
- Water sector risk: GAO 2024 report and EPA OIG 2024 scan. [14][9]
- OT/ICS physical‑consequence guidance: CISA “Control System Defense: Know the Opponent.” [15]
- Process/oversight context: FACA and PRA overviews (GSA; DOL). [6][7]
- [1] Text - H.R. 2659 (119th): Strengthening Cyber Resilience Against State-Sponsored Threats Act Congress.gov
- [2] House Report 119-230 (includes CBO estimate) – Strengthening Cyber Resilience Against State‑Sponsored Threats Act govinfo (GPO)
- [3] PRC State‑Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24‑038A) CISA
- [4] National Security Memorandum on Critical Infrastructure Security and Resilience (NSM‑22) White House (archived)
- [5] Rep. Veronica Escobar – Vote Record (Roll 287 shows H.R. 2659 passage on 11/17) House.gov
- [6] When is FACA applicable? (requirements for openness, notice, records) GSA
- [7] Paperwork Reduction Act – Overview U.S. Department of Labor
- [8] FBI Releases Annual Internet Crime Report (IC3 2024) FBI
- [9] EPA OIG Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems (Nov. 13, 2024) EPA OIG
- [10] CIRCIA FAQs (status of rulemaking and effective date) CISA
- [11] Colonial Pipeline Cyber Incident U.S. Department of Energy
- [12] Change Healthcare hack leads to billing delays and security concerns Associated Press
- [13] Fitch: Change Healthcare cyberattack could hit smaller pharmacies/providers’ credit profiles Reuters
- [14] Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems (GAO‑24‑106744) U.S. GAO
- [15] Control System Defense: Know the Opponent (OT/ICS physical‑consequence advisory) CISA
- [16] A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say (Oldsmar) Wired
- [17] FBI and former city manager say Oldsmar cyberattack never happened (dispute) ABC Action News (WFTS‑TV)
- [18] Joint Cyber Defense Collaborative (JCDC) – overview CISA
- [19] National Cyber Investigative Joint Task Force (NCIJTF) – mission FBI